Expert Advice Community

Filling SoA justification

Guest user, created: Sep 09, 2019, last commented: Sep 09, 2019

I have a question about control A.12.6.1 handling of technical vulnerabilities (inside the SoA table). In the column "reason for selection / exclusion" I could basically enter almost any risk from the risk assessment table, because a lot of risks are based on technical things. I'm guessing that's not the way to go(?) For some other controls out of this table I have chosen general statements as the "reason for selection / exclusion" without mentioning the concrete risks out of the risk assessment table. Would that make sense with control A.12.6.1, too?

Expert: Rhand Leal, Sep 09, 2019

Answer:

In fact, entering the whole risks from the risk treatment table in the SoA is not the best way to justify applicable controls. What you can do is include only the risk IDs of the risks related to control A.12.6.1, according to your Risk Treatment Table. For example, you could write "Risk 001, 003, and 023".